Limiting Self-Propagating Malware Based on Connection Failure Behavior through Hyper-Compact Estimators
You Zhou, Yian Zhou, Shigang Chen, O. Patrick Kreidl

TL;DR
This paper introduces hyper-compact estimators using double-bitmap and shared register array data structures to efficiently and accurately measure connection failure rates, aiding in the defense against self-propagating malware.
Contribution
It presents novel memory-efficient estimators for connection failure rate measurement, improving accuracy and scalability for worm defense mechanisms.
Findings
The double-bitmap estimator offers good accuracy with a small memory footprint.
The shared register array estimator achieves a larger estimation range and higher efficiency.
The proposed methods enhance rate-limit algorithms for worm containment.
Abstract
Self-propagating malware (e.g., an Internet worm) exploits security loopholes in software to infect servers and then use them to scan the Internet for more vulnerable servers. While the mechanisms of worm infection and their propagation models are well understood, defense against worms remains an open problem. One branch of defense research investigates the behavioral difference between worm-infected hosts and normal hosts to set them apart. One particular observation is that a worm-infected host, which scans the Internet with randomly selected addresses, has a much higher connection-failure rate than a normal host. Rate-limit algorithms have been proposed to control the spread of worms by traffic shaping based on connection failure rate. However, these rate-limit algorithms can work properly only if it is possible to measure failure rates of individual hosts efficiently and accurately.…
